Candidate Privacy Notice

Issued: May 24th, 2018
Revised: June 7th, 2018

Introduction

We’re glad you’re interested in a career at Duo, and want you to know that your privacy is very important to us. This Candidate Privacy Notice ("Notice") will help you understand what information we collect from you during our recruitment and selection process, why we collect it, how we use it, and what choices you have.
When we talk about “Duo,” “we,” “our,” or “us,” in this Notice, we are referring to Duo Security, Inc. and its group companies, including Duo Security UK Limited. When we talk about “you” or “candidate” in this Notice, we mean anyone who applies for a job or position with us, whether on a permanent or non-permanent basis.
By sharing your personal information with us, you confirm that you have read and understood the terms of this Notice.
If you have any questions, comments or concerns about any aspect of this Notice or how we handle your information, please reach out to our team using the details provided under the “Contact Us” section of this Notice.

Our Privacy Principles

Trust and transparency are foundational to what we do at Duo. We are committed to being open about how we approach privacy at Duo, and aim to communicate with you about privacy in a way that is easy for you to understand. To support these goals, we developed these Privacy Principles to highlight our commitment to responsibly protecting and handling your personal information. Our Privacy Principles help guide decisions we make at every level of our organization, every day, so that we can fulfill our mission to democratize security in a way that is consistent with our core values as well as our legal obligations.

Our core Privacy Principles are:

We respect individuals’ privacy by promoting informed choice.

We collect only the personal information we need, and “pseudonymize” or get rid of what we don’t.

We are transparent about how we use personal information and accountable for how we and our partners use it.

Who we are

We provide security solutions, including multi-factor authentication, trusted access and secure single sign-on tools for our customers. Find out more here.
Duo Security, Inc. is a company incorporated under the laws of the State of Delaware, USA and whose principal office is located at 123 North Ashley Street, Suite #200, Ann Arbor, Michigan 48104, USA. Duo Security UK Limited (company no: 09581350) is a company incorporated under the laws of England and Wales whose registered address is located at 6th Floor One London Wall, London, United Kingdom, EC2Y 5EB.

What personal information we collect and how

We know that personal information is defined slightly differently across the world. That said, at Duo, we define it as any information that could be used to identify you or another individual. We think that this broad definition enables us to better respect your privacy and safeguard the information entrusted to us.
The personal information that we may collect about you broadly falls into three categories - information we collect automatically, information you provide, and information provided to us by third parties.

Information we collect automatically - Our website (the "Website") has a Careers page that you can visit and search for jobs without providing personal information. However, like most websites, the Duo Careers page automatically collects certain information from your device when you visit our Website, using cookies and similar tracking technologies (collectively “Cookies”). For more details about the personal information we collect through the Website, please see our Website Privacy Notice. For more information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Notice.

Information you provide - As permitted by local laws, we may collect the following information from you when you apply for one of our roles:

Identification and contact details. This includes information such as your name, address, email address, phone number and other contact information, as well as your gender, date of birth, nationality or nationalities, and national identifiers (for example, national ID, passport, or social security number).

Employment history. This includes information about your previous employers and job titles.

Background information. This includes information like your academic and professional qualifications, education, details included in your CV or résumé (some of which could include details about memberships or interests that reveal sensitive personal information about you), transcripts and employment references.

Reference information. This includes information about your professional references that you share with us (including their name, contact information and job title, though it is your responsibility to get your references’ consent to share their personal information with us), as well as information we receive from background checks (when we have them completed for a role), and information provided by other third parties.

Previous applications and roles with us. This includes information about any prior applications you may have made for a position with us or any previous employment history with us.

Your immigration or visa status. This includes information that would let us know if you are authorized or able to become authorized to work for one of our group companies.

Other information you voluntarily provide. This includes information that you may provide throughout the recruitment process, including, for example, through assessment exercises and interviews.

Unless permitted or required by local laws, during the recruitment process we generally try not to collect information that reveals your racial or ethnic origin, religious, political or philosophical beliefs or trade union membership; genetic data; biometric data for the purposes of unique identification; or information concerning your health/sex life ("Sensitive Personal Information").

To be clear however, in some cases we may need to collect, or request on a voluntary basis, some Sensitive Personal Information from you for legitimate recruitment and employment related purposes. For example, we may ask for information about your racial or ethnic origin, gender and disabilities for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws and for government reporting obligations. We may also ask for information about your physical or mental condition to consider accommodations for the recruitment process or subsequent job role. You may also choose to voluntarily provide other Sensitive Personal Information during the recruitment process. If required by local law, we will request your consent to collect and process any of your Sensitive Personal Information.

Information provided to us by third parties - As permitted by local laws, we may collect the following personal information about you from third-party sources:

Information provided by your references.
Background information provided or confirmed by your academic institutions and training or certification providers.
Information provided by background checking agencies and other external database holders (for example credit reference agencies and professional or other sanctions registries), including criminal records data.
Information provided by recruitment or executive search agencies.
Information collected from publicly available sources, including any social media platforms you use (such as LinkedIn) or other information available online (as part of this, we may contact any mutual connections that are evident from publicly available information).

How we use the personal information we collect

We use your personal information for recruitment and hiring purposes. More specifically, we use your personal information to determine your qualifications for employment and to reach a hiring decision. This includes assessing your skills, qualifications and background for a particular role, verifying the accuracy of the information provided to us, carrying out reference checks or background checks (where relevant to the role and as permitted by local laws), and to generally manage the hiring process and communicate with you about it.

If you are accepted for a role at Duo, the information collected during the recruitment process will form part of your ongoing employment record and will be processed as set forth in our Employee Privacy Notice.

If you are not accepted for a role at Duo, we will not keep your application materials longer than is necessary or appropriate for recruitment purposes or as permitted under local laws, and we will always honor your request for us to delete your personal information.

For more information on our data retention practices, please see the “Data retention” section.

Who we share your personal information with

We may share the information described in this Notice with others. Specifically, as part of our recruitment and hiring practices, we will share your personal data with our group companies as needed, as well as third parties who provide services on our behalf. For example, we may share your personal data with third parties we use to perform recruiting services such as employment reference checks, application tracking, and employment screenings; perform hiring services such as payroll and benefits administration; and administer participation of our employees in share-based or other incentive plans which we may offer.

The trusted third parties with whom we share your personal information include:

Our group companies. We share information with entities that we control, are controlled by us, or are under our common control, to provide our Services. Duo Security, Inc. is the party responsible for overall management and use of personal information by these affiliated parties.

Our third party service providers and partners. We share information with service providers and partners who help us carry out our recruitment and hiring practices. These service providers help us with things like (i) performing recruiting services such as employment reference checks, application tracking, and employment screenings; (ii) performing hiring services such as payroll and benefits administration; and (iii) administering participation of our employees in share-based or other incentive plans which we may offer.

A competent law enforcement body, regulatory, government agency, court or other third party. We will share personal information where we have a good faith belief that doing so is necessary (i) to comply with applicable law, (ii) to enforce our terms and conditions; (iii) to protect our rights, privacy, safety or property, and/or those of our affiliates, you or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

Other third parties. We will share information with third parties in the event of any reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings), in which case we will inform the acquiring or resulting company that it must use your personal information only for the purposes disclosed in this Notice.

How we keep your personal information secure

Security is what we do, and we take the security of the personal information we have about you very seriously. We use appropriate administrative, organizational, technical and physical safeguards that are designed to protect the personal information we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information and to help ensure that your data is safe, secure, and only available to you and to those with authorized access (as decided by your organization administrator or you, as appropriate). However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so you should take care in deciding what information you send us in this way.

How long we keep your personal information

We only keep your personal information for as long as we have an ongoing legitimate business need to do so (for example, to fulfill the purposes outlined in this Notice or as otherwise permitted or required by local law). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it. If this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Generally this means that we will retain your personal information:

consistent with the retention periods set out in our Employee Privacy Notice, if you become our employee; or

for 6 months after confirming that your application was unsuccessful if you are a candidate from the European Economic Area, unless local law requires, or you request, that we delete your personal information sooner. However, as noted in the “How we stay in touch” section below, we will keep your personal information for up to 12 months to stay in touch with you about other job opportunities if you ask us to do so or longer if local law allows us to do so.

How we stay in touch

If you have asked us to stay in touch with you about other job opportunities, we will generally do so for up to 12 months or longer if local law allows us to do so. We may keep in touch with you in a variety of ways, including e-mail, post, SMS, via social media platforms and by phone, but, again, only if you have asked us to do so.

When you ask us to stay in touch with you, we will:

Never pass your personal information to anyone outside the Duo group companies for them to use for marketing purposes; and

Give you the option to stop receiving communications about opportunities at any time.

International data transfers

We are headquartered in the United States and operate internationally. Therefore, you should be aware that we may transfer or process your personal information in countries other than the country in which you are a resident. These countries may have data protection laws that are different than the laws of your country, and in some cases may not be as protective.

Specifically, our group companies and many of the third party service providers we rely on to support our recruitment and hiring practices are based in, and have servers located in, the United States and in other countries around the world. This means that when we collect your personal information we may process it in any number of places around the world.

Wherever your personal information is transferred, stored or processed by us, we will take reasonable steps to safeguard the privacy of your personal information as indicated in this Notice. Additionally, when using or disclosing personal information transferred from the European Economic Area, we use standard contractual clauses approved by the European Commission, adopt other means under applicable law for ensuring adequate safeguards, or obtain your consent.

If you would like a copy of our standard contractual clauses or more information on the appropriate safeguards we have implemented with our third party service providers and partners, please reach out to us using the details provided under the “Contact Us” section of this Notice.

Legal basis for processing (European Economic Area candidates only)

If you are a candidate from the European Economic Area, we have a responsibility to tell you about the legal basis we rely on to process your personal information. As it relates to our recruitment and hiring process, our legal grounds for processing your personal information generally are one or more of the following:

our legitimate interests as a potential employer, and these interests are not overridden by your data protection interests or fundamental rights and freedoms, particularly taking into consideration the data privacy and security safeguards as discussed in the “How we keep your personal information secure” section of this Notice.

to comply with local immigration and employment laws and regulations.

to take steps prior to entering into a formal employment relationship with you if you are considered for employment.

that you have made the data public, where relevant.

your consent, where given (but note that you have the right to withdraw your consent at any time).

to protect our rights, privacy, safety or property, and/or those of our affiliates, you or others.

If we ask you to provide personal information to comply with a legal requirement or to enter into a contract with you, we will make this clear at the relevant time and let you know if the personal information is mandatory or not (as well as the possible consequences if you do not provide it).

If you have questions or need further information about the legal grounds we rely on to collect and use your personal information, please reach out to us using the details provided under the “Contact Us” section of this Notice.

Your rights, controls and choices

You can access, review, change, update or delete your personal information at any time.

If you are resident in the European Economic Area, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.

If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Please note, though, that withdrawing your consent will not impact the lawfulness of any processing we conducted before you withdrew your consent, nor will it impact the processing of your personal information we conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA are available here.

If you would like to exercise any of your rights relating to your personal information, please start by contacting us using the contact details provided under the “Contact Us” section of this Notice.

We respond to all requests we receive from individuals wishing to exercise their data protection rights under applicable data protection laws.

Changes to this Privacy Notice

From time to time, we may change this Privacy Notice in response to changing technologies, industry practices, regulatory requirements or for other purposes. We will provide notice to you if these changes are material (this notice may be by email to your organization’s administrator or you at the last email provided us, by posting notice of such changes on the Website, or by other means, consistent with applicable law) and, if required by applicable law, we will obtain your consent.

You can see when this Notice was last updated by checking the “last updated” date displayed at the top of this Notice.

Contact Us

We encourage you to contact us if you have any comments or questions about this Privacy Notice or our related privacy practices. You may reach us at privacy@duosecurity.com or at our mailing address below: